Valicert System No Longer a Niche Product

Valicert Inc. and its validation technology for digital certificates are no longer being relegated to technically obscure roles in electronic commerce security.

The Mountain View, Calif., company has just begun shipping the latest version of its validation authority, or VA, system. With the announcement came several indications that the company's notion of validation, something of a tough sell when it was new and not widely understood, is finding a place in the quickly evolving Internet security infrastructure.

What Valicert calls its third-generation Enterprise VA Suite 3.0 gets much deeper into business practices than just ascertaining that a digital credential has not expired or been revoked -- the basic definition of certificate validation.

The package has several "application level" features that go to the heart of what banks and other companies want to be doing on the World Wide Web. And in a tangible sign of business progress by Valicert, its technology is being incorporated in significant e-commerce efforts such as the Identrus multinational banking consortium, the U.S. government's ACES -- Access Certificates for Electronic Services -- project, and various aspects of the Sun-Netscape Alliance, which is an e-commerce venture of Sun Microsystems Inc. and America Online Inc.'s Netscape Communications subsidiary.

Officials of Valicert, which in September raised $23 million in mezzanine-stage financing from an international group led by Lucent Venture Partners, say three years of hard work in system development and market education are paying off.

Also in September, the company announced the opening of a European headquarters in Amsterdam, which president and chief executive officer Yosi Amram termed "another step in our mission to build a global validation network for secure e-commerce."

The digital certificates that many banks, government entities, and other "trusted third parties" view as a key to authenticating on-line trading partners will have to go through a validation step, the reasoning goes.

"The coming explosion in business-to-business transactions" will need this "critical enabler," said Valicert vice president of marketing and business development Sathvik Krishnamurthy. "Only Valicert is offering a complete, proven solution."

Among those sending kudos Valicert's way was Scott Lowry, president and CEO of Digital Signature Trust Co., a subsidiary of Zions Bancorp. of Salt Lake City and one of the first two vendors selected to provide the data encryption backbone for the government's ACES program.

Valicert's Enterprise VA Suite will be a part of the public key infrastructure systems of both Digital Signature Trust and the other approved ACES vendor, Operational Research Consultants Inc.

"With its third-generation product," Mr. Lowry said, "Valicert has shown the ability to provide the robust validation capabilities that may be required by a project of such magnitude as ACES." The program sets a standard for management of digital certificates to ensure secure communications between citizens and the government.

Daniel E. Turissini, vice president of Operational Research Consultants, said, "Because of the multivendor nature of this project, it is crucial to have universal validation services, and Valicert is the perfect solution."

The validation vendor is not alone in offering this service. Certco Inc. of New York recently added a validation component based on the OCSP -- On-line Certificate Status Protocol -- to its digital trust technology offering.

But Valicert has attempted to set a standard for flexibility and compatibility. It worked to make its VA interoperable with all major providers of certificate authority, or CA, systems, among them Baltimore Technologies, Entrust, GTE Cybertrust, Thawte, and Verisign.

"We are viewed as a trusted third party, neutral, because we are not competing as a CA," said Ram Krishnan, Valicert's director of product marketing.

David Ferris, president of Ferris Research, a San Francisco-based firm focusing on messaging technologies, said, "This is an important niche, dominated by one vendor, Valicert. It's strange the firm doesn't have any real competition."

Valicert's VA "provides a clearing-house function for users of digital-certificate-based applications," said Eric Hemmendinger, senior analyst at Aberdeen Group of Boston. "Automatically confirming the validity of digital certificates issued by multiple suppliers' CAs, the VA provides a valuable form of insurance critical for enterprises conducting e-business."

Mr. Krishnan said the company is also "agnostic" when it comes to technical protocols for validation. It will support CRL, or Certificate Revocation Lists; the CRL-Distribution Points variation; OCSP; and Certificate Revocation Trees, a Valicert invention.

"The mission always has been to validate any certificate, from any CA, any protocol, anywhere on the planet," Mr. Krishnan said. "It is tough to make that claim. We are backing it up."

Valicert is billing Enterprise VA Suite 3.0 as "the first complete, universal certificate validation solution."

Among the enhancements to one of the components, the server system that has been on the market two years, is a mechanism called Stateful Validation. Going beyond simple certificate verification, it enables validation of "things specific to the application's context," Mr. Krishnan said. In other words, the system can verify an aspect of a transaction other than a credential's validity, inquiring into a credit bureau or human resources data base, for example.

Valicert has described its validation function as equivalent to a credit card authorization. Mr. Krishnan extended the analogy for Stateful Validation: "It tells you not only that the credit card is good, but that the customer is authorized to buy $5,000 of stuff."

Enterprise VA 3.0 has been enhanced to serve networks of certificate authorities operating in multiple locations, such as Identrus. Banks will be both competing with each other and cooperating to obtain validations, which the Valicert framework can accommodate.

There is also a feature called Enterprise VA Mirroring, which enables data to be replicated or shared efficiently among several validation authorities that may be scattered around the world.

Such capabilities add up to "more integration (of VA) with business applications," Mr. Krishnan said. "The power of what we do is only as good as the applications we are supporting," and they range from Web servers and browser software to virtual private networks and secure e-mail.

"Customers really seem to be excited," Mr. Krishnan added. He said Valicert's selection for the forthcoming Identrus pilot and its signing of one of that consortium's founding banks, ABN Amro, will be followed by more banking industry contract announcements.

"We are feeling good that our message is getting out to the financial services industry," Mr. Krishnan said. "It is critically important to secure what they do, and they realize that their certificate technology is incomplete without validation."
